The Mesa County, Colorado, Sheriff’s Dept accidentally published the personal information of 200,000 “customers”:
The leak started flowing when a county IT employee who had legal access to the database copied it to another server in April of this year. According to the Associated Press, the employee had copied over the database in the form of a giant text file with everyone’s information available in plaintext, assuming that the target server was secure.
This kind of data leak—the kind that occurs as a result of employee actions and not outside “hackers”—is surprisingly common. State employees (and the IRS) seem to always be losing laptops that contain personal information about citizens, and the military recently enacted (another) ban on external disks accessing the network in order to prevent another WikiLeaks bomb from going off.
Security experts warned in the past that employees tend to be the greatest threat to company security—a lesson that the Mesa County sheriff’s department has now learned the hard way.
I can’t help but wonder why the IT employee exported the database to plain text and left it on a server for months — does he suck at SQL and excel at using Find in Notepad? Is this how he backs up his database?
And then, of course, there are the questions about who the custodian and owners of the data were, what policies does the Sheriff’s office have about this sort of thing, and is this going on the employee’s annual review?